
Congressional 
Research Service 

Informing the legislative debate since 1914 



The 2013 Cybersecurity Executive Order: 
Overview and Considerations for Congress 

Eric A. Fischer 

Senior Specialist in Science and Technology 

Edward C. Liu 

Legislative Attorney 

John W. Rollins 

Specialist in Terrorism and National Security 

Catherine A. Theohary 

Specialist in National Security Policy and Information Operations 
December 15, 2014 




7-5700 

www.crs.gov 

R42984 



CRS REPORT 

Prepared for Members and Committees of Congress






Summary 

The federal role in cybersecurity has been a topic of discussion and debate for over a decade. 
Despite significant legislative efforts in the 112th Congress on bills designed to improve the
cybersecurity of U.S. critical infrastructure (CI), no legislation on that issue was enacted in that
Congress. In an effort to address the issue in the absence of enacted legislation, the White House 
issued an executive order in February 2013. Citing repeated cyber-intrusions into critical 
infrastructure and growing cyberthreats, Executive Order 13636, Improving Critical 
Infrastructure Cybersecurity, was an attempt to enhance security and resiliency of CI through
voluntary, collaborative efforts involving federal agencies and owners and operators of privately 
owned CI, as well as use of existing federal regulatory authorities.

Entities posing a significant threat to the cybersecurity of CI assets include cyberterrorists,
cyberspies, cyberthieves, cyberwarriors, and cyberhacktivists. E.O. 13636 has attempted to 
address such threats by, among other things, 

• expanding to other CI sectors an existing Department of Homeland Security
(DHS) program for information sharing and collaboration between the 
government and the private sector; 

• establishing a broadly consultative process for identifying CI with especially high
priority for protection; 

• requiring the National Institute of Standards and Technology (NIST) to lead in 
developing a cybersecurity framework of standards and best practices for 
protecting CI; and

• directing regulatory agencies to determine the adequacy of existing requirements 
and their authority to establish additional ones to address the risks. 

Among the major issues covered by the unenacted legislative proposals in the 112th Congress,
E.O. 13636 mainly addresses two: information sharing and protection of privately held critical 
infrastructure. It does not provide exemptions from liability stemming from information sharing, 
which would require changes to current law. Several of the legislative proposals included such 
changes. With respect to protection of critical infrastructure, the provisions on designation of CI
and identification of relevant regulations are related to those in some legislative proposals. 

In the 113th Congress, some bills would provide explicit statutory authority for
information-sharing along the lines of some bills in the 112th Congress. Others would authorize activities on
developing a cybersecurity framework similar to those in the executive order. 

The issuance of E.O. 13636, as with many other executive orders, raises questions about whether 
the order exceeds the scope of the President’s authority, in relation to the constitutional separation 
of powers and validly enacted legislation. While answers to those questions are complex, the 
executive order specifies that implementation will be consistent with applicable law and that 
nothing in the order provides regulatory authority to an agency beyond that under existing law. 

Overall, response to the executive order has been optimistic. Given the absence of comprehensive 
cybersecurity legislation, some security observers contend that the order is a necessary step in 
securing vital assets against cyberthreats. Others have argued, in contrast, that it offers little more 
than do existing processes, that it could make enactment of a bill less likely, or that it could lead 
to government intrusiveness into private-sector activities, for example through increased
regulation under existing statutory authority. Despite considerable progress in meeting the 
specific objectives in the executive order, especially the NIST Framework, it still appears to be 
too early in the implementation of the order to determine whether such concerns will be 
addressed to the satisfaction of critics and skeptics. 